Friday, January 29, 2010

Online finance flaw: Ameriprise FAIL...again

Here we go again.

The cross-site scripting (XSS) issues on the Ameriprise advisor locator site were fixed, even if temporarily, back when Dan Goodin reported on the issue in August. A little bird whispered in my ear the other day and told me a sad tale: they're baaaaack.

Regression testing, anyone?

Regression testing (from the Wikipedia entry) recommends that: "in most software development situations it is considered good practice that when a bug is located and fixed, a test that exposes the bug is recorded and regularly retested after subsequent changes to the program."

What a grand idea! Ensure that you don't reintroduce old flaws when you roll old code.

Really? I have to say it?

Apparently.

Dan & El Reg have covered the issue again given that, in order to have it fixed again, I had to ask him to ping the Ameriprise PR department.
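As an added illustration of the regression-testing practice quoted above (not code from Ameriprise or from the original post), the sketch below records the inputs that exposed a reflected XSS bug and replays them against the page renderer on every change. `render_results`, its markup and the probe strings are all constructed for the example.

```python
import html
from html.parser import HTMLParser

def render_results(query: str, fixed: bool = True) -> str:
    """Hypothetical stand-in for a locator results page that reflects the query."""
    shown = html.escape(query, quote=True) if fixed else query
    return f'<form><input name="q" value="{shown}"></form><p>Results for {shown}</p>'

# Constructed probes, recorded at the time of the original fix.
# Each one targets a different reflection context in the template.
RECORDED_PROBES = [
    '<script>alert(1)</script>',           # element injected into body text
    '"><img src=x onerror=alert(1)>',      # breaks out of the value attribute
    '" autofocus onfocus="alert(1)',       # adds attributes to the input
    '</p><svg onload=alert(1)>',           # closes the paragraph, opens a new tag
]

class MarkupAudit(HTMLParser):
    """Parses the response and flags any tag or attribute the template never emits."""
    ALLOWED = {"form": set(), "input": {"name", "value"}, "p": set()}

    def __init__(self):
        super().__init__()
        self.violations = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.ALLOWED:
            self.violations.append(f"unexpected <{tag}>")
            return
        for name, _ in attrs:
            if name not in self.ALLOWED[tag]:
                self.violations.append(f"unexpected attribute {name} on <{tag}>")

def regressions(render) -> list:
    """Replay every recorded probe; return (probe, violation) pairs."""
    failures = []
    for probe in RECORDED_PROBES:
        audit = MarkupAudit()
        audit.feed(render(probe))
        audit.close()
        failures += [(probe, v) for v in audit.violations]
    return failures

if __name__ == "__main__":
    # An empty list means the fix is still in place; anything else fails the build.
    print(regressions(render_results))
```

Checking the parsed structure rather than searching for a literal string means the test still fails if old code is rolled back in with different quoting or casing.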

About Me

Russ McRee runs the Blue Team for Microsoft's Windows and Devices Group (WDG). He writes the monthly column toolsmith. Russ has spoken at infosec events such as Defcon, Black Hat, RSA, and FIRST and has published in the likes of Information Security, Linux Magazine, (IN)SECURE, and SysAdmin. As an advocate of a holistic approach to information security, Russ' website is holisticinfosec.org.
He also serves as a volunteer handler for the SANS Internet Storm Center.